
LEAP corpus

Open jsmif opened this issue 5 months ago • 0 comments

Hello. I don't understand your description of the LEAP protocol and what a full packet looks like in your WOOT 2020 paper. I was hoping to gain clarity by looking at your LEAP corpus. But it looks like it hasn't been posted along with the other corpus?

Can you specify how a LEAP version request is sent? (Rather than how the data that comes back looks, which is what's in the paper.)

My guess is that it's an L2CAP message with

length = 13
CID = 0x2A
opcode = 0x01
4CC = 'LEAP'
protocol_version = 0x0001 (little endian)
Apple_ID = 0x004c (little endian)
HW = 0x7005 (from paper, not sure on endianness but I tried both ways)
SW = 0x0D30 (from paper, not sure on endianness but I tried both ways)

But when I send this, I get back from an iPhone what looks like a LEAP version request/response but with the HW/SW fields set to all 0s, or from a Mac I get back an opcode 8 error message. So perhaps I understand the format but Apple has just stopped leaking information via this message type in response to your paper?

jsmif, Sep 09 '24 14:09
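
The layout guessed in the issue above, serialized and decoded offline so the exact bytes for both HW/SW byte orders can be compared against a capture. This is an added example, not code from the paper, the project or the issue author. The function names, the ASCII byte order of the 4CC, and the idea that a reply shares the request layout are assumptions; the L2CAP basic header (16-bit length, 16-bit CID, little endian) is standard.

```python
import struct

LEAP_CID = 0x002A   # CID from the post
OP_VERSION = 0x01   # opcode from the post
FOURCC = b"LEAP"    # assumption: the 4CC is sent as ASCII in this byte order
PAYLOAD_LEN = 13    # length from the post: 1 + 4 + 2 + 2 + 2 + 2


def build_version_frame(hw, sw, hw_sw_big_endian=False,
                        protocol_version=0x0001, apple_id=0x004C):
    """Serialize the post's guessed layout as one L2CAP basic frame."""
    hw_sw = struct.pack(">HH" if hw_sw_big_endian else "<HH", hw, sw)
    payload = (bytes([OP_VERSION]) + FOURCC
               + struct.pack("<HH", protocol_version, apple_id) + hw_sw)
    # L2CAP basic header: 16-bit payload length then 16-bit CID, little endian
    return struct.pack("<HH", len(payload), LEAP_CID) + payload


def parse_version_frame(frame, hw_sw_big_endian=False):
    """Decode a frame of the same guessed layout; ValueError on any mismatch."""
    if len(frame) < 4:
        raise ValueError("truncated L2CAP header")
    length, cid = struct.unpack_from("<HH", frame, 0)
    payload = frame[4:]
    if length != len(payload) or length != PAYLOAD_LEN:
        raise ValueError(f"unexpected payload length {length}/{len(payload)}")
    if cid != LEAP_CID or payload[1:5] != FOURCC:
        raise ValueError("not a LEAP frame on CID 0x2A")
    protocol_version, apple_id = struct.unpack_from("<HH", payload, 5)
    hw, sw = struct.unpack_from(">HH" if hw_sw_big_endian else "<HH", payload, 9)
    return {"opcode": payload[0], "protocol_version": protocol_version,
            "apple_id": apple_id, "hw": hw, "sw": sw,
            "hw_sw_zeroed": hw == 0 and sw == 0}


if __name__ == "__main__":
    for big in (False, True):   # the post tried both byte orders for HW/SW
        print(build_version_frame(0x7005, 0x0D30, big).hex(" "))
    # Constructed frame with zeroed HW/SW, like the iPhone reply described above
    print(parse_version_frame(build_version_frame(0, 0)))
```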